DevSecOps is the term being passed around recently. Instead of talking about what it is, I wanted to provide an action item that would be quick and easy to implement into your environment. This method will scan git repositories for AWS keys before making them public.
What is git secrets?
Git-Secrets has the ability to scan commits to prevent confidential keys from being shared publicly. Git-Secrets can work as a middle man to approve or deny the commit depending on the findings of the scan.
Main repository can be found here: https://github.com/awslabs/git-secrets
Lets start by installing the git package with:
[trenchesofit@localhost /]$ sudo yum install git -y
Then we will clone the get-secrets repository with:
[trenchesofit@localhost ~]$ git clone https://github.com/awslabs/git-secrets.git
Navigate to /git-secrets directory
[trenchesofit@localhost ~]$ cd git-secrets
[trenchesofit@localhost git-secrets]$ sudo make install
I posted a test file to ensure the hooks for AWS installed correctly:
[trenchesofit@localhost ~]$ git clone https://github.com/trenchesofit/git-secret-test.git
Add AWS rules for auditing Secret Keys:
[trenchesofit@localhost git-secrets]$ git secrets --register-aws
- AWS Access Key IDs via
- AWS Secret Access Key assignments via “:” or “=” surrounded by optional quotes
- AWS account ID assignments via “:” or “=” surrounded by optional quotes
- Allowed patterns for example AWS keys (
- Known credentials from
Change directory to git-secrets and run scan:
[trenchesofit@localhost git-secret-test]$ git secrets --scan test.py:3:Access Key = AKIAICKMZTVXEHBPKCYA test.py:5:Secret Key = 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 [ERROR] Matched one or more prohibited patterns Possible mitigations: - Mark false positives as allowed using: git config --add secrets.allowed ... - Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory - List your configured patterns: git config --get-all secrets.patterns - List your configured allowed patterns: git config --get-all secrets.allowed - List your configured allowed patterns in .gitallowed at repository's root directory - Use --no-verify if this is a one-time false positive
–scan will scan the entire directory for matches. You can see in the output git secrets found an access key and secret key in the file test.py.
This tool is simple to use and allows your team to automate security into the commit process your devs use daily.
Keep an eye on those Devs, and until next time…….
Stay safe in the Trenches of IT!